Handle HTTP Request Smuggling in API Gateway

0

Hello,

I have a Spring Boot application with API endpoints exposed. The EC2 instance is integrated with API Gateway via NLBs and ALBs. My security team has raised a Request Smuggling vulnerability in my API endpoint.

I cannot afford the migration to HTTP/2 and I have to continue with HTTP/1.1 only. Is there any way I can reject the requests in API Gateway by validating the headers for Content-Length and Transfer-Encoding, so that the request does not reach my server?

1 answer
0

You haven't mentioned which type of API Gateway you're using (REST or HTTP).

If using a REST API Gateway you can validate the request including the headers. So to prevent request smuggling you could block requests that have a header where "Transfer-Encoding" is "chunked".

AWS
Expert
answered 9 months ago
  • We also encountered the same issue during a security assessment. It appears that the AWS API gateway inherently drops the Transfer-Encoding header. Consequently, we were unable to implement request validation as suggested or enable WAF on the API gateway and add a rule to block requests with "Transfer-Encoding" set to "chunked". We were unable to find any references indicating that API gateways inherently drop the Transfer-Encoding header.
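The answer above proposes blocking on `Transfer-Encoding: chunked` at the gateway, and the comment reports that API Gateway strips that header before request validation or WAF can see it. The check below is an added example, not code from this thread, from AWS, or from Spring Boot: it shows the framing rules (RFC 7230 section 3.3.3) a defender can enforce at whichever hop does receive the raw HTTP/1.1 headers, for instance a reverse proxy behind the ALB or a servlet filter in front of the Spring Boot controllers. It assumes headers are available as (name, value) pairs in wire order; the sample requests at the bottom are constructed, not captured traffic.

```python
"""
Added example: reject HTTP/1.1 requests whose body framing is ambiguous.

CL.TE / TE.CL request smuggling works because a front end and a back end pick
different body lengths for the same request. RFC 7230 section 3.3.3 says a
request is framed by exactly one of Content-Length or Transfer-Encoding, so a
defender can refuse anything that leaves room for disagreement before the
body is ever read. This is generic validation logic, not AWS or Spring code.
"""
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Characters allowed in an HTTP header field name (RFC 7230 "token").
_TOKEN_CHARS = frozenset(
    "!#$%&'*+-.^_`|~0123456789"
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
)
_DIGITS = frozenset("0123456789")


def framing_problem(headers: Iterable[Header]) -> Optional[str]:
    """Return a rejection reason if the framing headers are ambiguous, else None.

    `headers` holds the request's header fields as (name, value) pairs in wire
    order, names exactly as received (no trimming); values may carry OWS.
    """
    content_lengths: List[str] = []
    transfer_encodings: List[str] = []

    for name, value in headers:
        # A name containing whitespace or other non-token bytes is a classic
        # way to make one hop honour the header and another hop ignore it.
        if not name or any(c not in _TOKEN_CHARS for c in name):
            return "malformed header name"
        key = name.lower()
        if key == "content-length":
            content_lengths.append(value.strip())
        elif key == "transfer-encoding":
            # The field is a comma-separated list of transfer codings.
            transfer_encodings.extend(v.strip().lower() for v in value.split(","))

    if content_lengths and transfer_encodings:
        return "both Content-Length and Transfer-Encoding present"

    if len(content_lengths) > 1:
        # RFC 7230 permits merging identical duplicates; refusing them all is
        # the stricter, safer choice for an edge that fronts other parsers.
        return "multiple Content-Length headers"
    if content_lengths:
        cl = content_lengths[0]
        if not cl or any(c not in _DIGITS for c in cl):
            return "malformed Content-Length"

    if transfer_encodings:
        if "" in transfer_encodings:
            return "empty Transfer-Encoding token"
        if transfer_encodings[-1] != "chunked":
            return "Transfer-Encoding does not end with chunked"
        if transfer_encodings.count("chunked") > 1:
            return "chunked applied more than once"
    return None


def parse_headers(raw: bytes) -> List[Header]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs.

    Only the header block is parsed; the request line and body are ignored.
    Names are returned untrimmed so framing_problem() can judge them.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the request line
    pairs: List[Header] = []
    for line in lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("header line without colon: %r" % line)
        pairs.append((name, value))
    return pairs


def check_raw_request(raw: bytes) -> Optional[str]:
    """Convenience wrapper: parse the head, then apply the framing rules."""
    try:
        return framing_problem(parse_headers(raw))
    except ValueError as exc:
        return str(exc)


# Constructed sample requests for a self-check (not captured traffic).
OK_CL = b"POST /api HTTP/1.1\r\nHost: api.example\r\nContent-Length: 5\r\n\r\nhello"
OK_TE = b"POST /api HTTP/1.1\r\nHost: api.example\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: api.example\r\n"
             b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("OK_CL", OK_CL), ("OK_TE", OK_TE), ("AMBIGUOUS", AMBIGUOUS)):
        print(label, "->", check_raw_request(req) or "accepted")
```

Refusing a request that carries both headers, instead of preferring Transfer-Encoding as RFC 7230 allows, removes the ambiguity entirely; that is the property that matters when an HTTP/1.1-only Spring Boot server sits behind several load-balancer hops that may each parse the message differently. The same rule set can be applied with a `400` response from a servlet filter once the headers have been read, or at a proxy that sees the raw bytes.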
